Despite stringent security measures, if hackers attack your suppliers, your company might be at risk. Such breaches, known as supply-chain attacks, made headlines this past year when SolarWinds, and later Kaseya, were compromised.
SolarWinds unknowingly passed along spyware from Russian cyber-operatives in system updates to its Orion network monitoring software, exposing countless corporations and government agencies to illegal surveillance, data theft, and malware. In the case of Kaseya, hackers implanted ransomware on dozens of client systems using Kaseya’s VSA endpoint management and network monitoring product.
No business is immune. Your security can be breached if your technology vendors are compromised. This scenario brings attention to the need to minimize vulnerabilities, and one of the best defenses is proactive contract management.
Security Stipulations to Include
Automated contract management software can enhance security, especially with complex contracts containing cybersecurity provisions. These contracts typically include both technical and procedural requirements that may specify adherence to industry-recognized cybersecurity frameworks (with U.S. government contracts, many such issues are covered in Federal Acquisition Regulations that are incorporated by reference into contracts). Agreements also outline the process to be followed in the event of a data breach, along with the remedies available to each party.
The best time to address such issues is while negotiating new contracts because you’ll have more leverage with suppliers during this phase. You also have to deal with existing contracts, which are likely to have outdated cybersecurity provisions that don’t reflect today’s threat environment, newer protective technologies, or changing regulatory requirements.
In light of the increase in attacks, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is urging all businesses, regardless of industry, to review all contracts to ensure suppliers are keeping data secure. CISA recently published an advisory recommending that all businesses confirm contracts are addressing certain security considerations.
There are four security stipulations that should be included to guarantee the vendor will:
- Use security controls that the customer deems appropriate
- Use appropriate monitoring and logging of provider-managed customer systems
- Use appropriate monitoring of the service provider’s presence, activities, and connections to the customer network
- Provide notification of confirmed or suspected security events occurring on the provider’s infrastructure and administrative networks
This extensive review is daunting without the help of automation.
Timing Is Everything
Modern contract lifecycle management (CLM) software uses artificial intelligence (AI) to analyze contracts, enabling you to see which contracts (including vendor agreements) contain cybersecurity language and which specific security practices are guaranteed in writing. This enables you to fully understand each party’s obligations and to assess any gaps that exist.
With CLM software, you can extend your security review further down the supply chain. You didn’t have to be a SolarWinds or Kaseya client to be affected by the attacks; you simply had to be a customer of one of their compromised customers.
This level of rigor isn’t new for security pros in regulated industries who have been dealing with HIPAA and the Payment Card Industry requirements for many years. However, proactive and intelligent contract management must now be part of security best practices in all industries given the current threat landscape.
Any time you entrust your critical business data to a third party or give another entity regular access to your software and/or network, make sure to get data security guarantees in writing. If you’re a supplier as well as a customer in a supply chain, make sure commitments to your clients don’t exceed what your suppliers have committed to you. An attack on one of your suppliers can put you, and potentially downstream customers, at risk.
It’s likely that supply-chain attacks will only increase in number and severity, so it’s time to act now. Want to learn more? Read our eBook to learn how you can use LinkSquares to improve your contract management and your cybersecurity posture.